Honeynet Project Reverse Challenge

Matt Messier, Bob Fleck, John Viega

Secure Software, Inc.


Abstract

A Distributed Denial of Service (DDoS) tool has been discovered on one of our servers.  A Denial of Service attack is an attack that is launched at either a single or a small number of hosts on a network to deny those hosts the ability to use their network, usually by saturating the network connection with useless data.  A Distributed Denial of Service attack is launched from a large number of hosts against either a single or a small number of hosts.  By distributing the source of attack, it is easier for the attacker to conceal himself, but more importantly, it provides the attacker with the ability to more easily and quickly saturate the target's network.

Details

This DDoS tool contains code to perform a variety of well-known denial of service attacks, similar to the attacks used against Yahoo, Amazon, and others in early 2000.  In addition, the tool provides the attacker who infected our systems with a way to regain full access to the system without repeating the effort that was initially required to break in; this circumvents any software security updates that are put into place after the trojan was introduced into the system.

Systems that the trojan has infected are vulnerable to attackers gaining root access to the machine.  Even systems that the trojan has not infected may also be vulnerable.  It is imperative that all machines are checked to ensure that the most recently available security patches have been applied to them.  If an attacker has the ability to break into a system, the attacker also has the ability to obtain any data stored on that system as well as any data that is accessible to that system from the network.  It is also possible for an attacker to maliciously alter that data or destroy it.

Given the nature of this trojan, it is likely that the attacker is scanning to find as many hosts as possible to infect with it, and not seeking to steal data from or damage the data contained on any of the infected systems.  However, it must be assumed that any system compromised with this trojan has had data stolen from it or damaged until further investigation can prove otherwise.

While a system on our network is not likely to be the target of an attack, when the trojan is awakened and an attack is launched, our network is likely to become saturated with the traffic necessary to deny service to the target of the attack.  In this case, network response time will become slow, if there is any response at all.  In addition, our service provider will likely turn off our access to the Internet until we are able to contain and disable the attacks originating from within our network.

To minimize the effects of this trojan, please provide the IT department with your full cooperation in eradicating it from our network.  Please check each of your systems to ensure that you are not infected with the trojan.  Methods for finding and removing the trojan are detailed in the technical advisory available from the IT department.

If the trojan is found to be running on any of your systems, please shut down the infected system and contact the IT department immediately for remediation.  Please also ensure that your system is running with the latest available security patches from the vendors of any software that you are running.  Contact the IT department for assistance.